# Vulnerability Disclosure Policy

**Asteas Technologies GmbH — IACBOX**

*Published at: [https://www.iacbox.com/iacbox-vdp.txt](https://www.iacbox.com/iacbox-vdp.txt)*

*Last updated: June 2026*

---

## 1. Introduction

Asteas Technologies GmbH ("we", "us", "our") is committed to the security of our products, our customers, and the broader internet community. We recognize that independent security researchers play a valuable role in keeping technology safe, and we welcome the responsible disclosure of vulnerabilities in our products and services.

This Vulnerability Disclosure Policy describes how to report security vulnerabilities to us, what you can expect from us in return, and the guidelines we ask you to follow. We are committed to working with the security community through a coordinated vulnerability disclosure process.

## 2. Scope

This policy covers security vulnerabilities in the following:

- **IACBOX product family** — all hardware and software versions of the IACBOX platform, including firmware, management interfaces, and associated components
- **IACBOX cloud services** — web-based services and APIs operated by Asteas Technologies GmbH in connection with the IACBOX product
- **www.iacbox.com** — our public-facing website and any customer-facing web applications hosted under the iacbox.com domain

If you are unsure whether a particular product or service falls within scope, please contact us and we will clarify.

## 3. How to Report a Vulnerability

Please send your vulnerability report via email to:

> **[security@iacbox.com](mailto:security@iacbox.com)**

We strongly encourage you to encrypt your report using our PGP key, which is available at:

> **[https://www.iacbox.com/.well-known/security-pub.asc](https://www.iacbox.com/.well-known/security-pub.asc)**

### What to Include in Your Report

To help us understand and reproduce the issue quickly, please include as much of the following information as possible:

- **Description** — a clear and concise description of the vulnerability and its potential impact
- **Steps to reproduce** — detailed steps, proof-of-concept code, or screenshots that allow us to reliably reproduce the issue
- **Affected product and version** — the specific product, firmware version, software version, or service endpoint where you observed the vulnerability
- **Impact assessment** — your assessment of the severity and potential impact (e.g., data exposure, remote code execution, privilege escalation)
- **Your contact information** — a name or alias and a reliable way to reach you for follow-up questions (email address preferred)

Please write your report in **English** or **German**.

## 4. What to Expect

We take every report seriously. Here is what you can expect after submitting a vulnerability:

| Step | Timeline |
|------|----------|
| **Acknowledgement of receipt** | Within **48 hours** of your report |
| **Initial triage and status update** | Within **14 calendar days** of acknowledgement |
| **Ongoing status updates** | At least every **14 calendar days** until the issue is resolved |

Upon acknowledgement, we will assign a **unique tracking ID** to your report so that you can reference it in any future correspondence with us.

If we need additional information or clarification, we will reach out to you using the contact details you provided. We ask that you respond in a timely manner so that we can continue working toward a resolution.

## 5. Safe Harbor

Asteas Technologies GmbH will **not** pursue legal action against security researchers who discover and report vulnerabilities in accordance with this policy. We consider security research conducted in compliance with the following guidelines to be authorized, good-faith conduct:

### Good Faith Guidelines

- **No data destruction** — do not delete, alter, or corrupt any data belonging to us or our customers
- **No data exfiltration** — do not access, copy, or store user data beyond the minimum necessary to demonstrate the vulnerability (proof of concept only)
- **No disruption of services** — do not degrade, interrupt, or deny service to our users or infrastructure
- **No disclosure before coordination** — do not publicly disclose the vulnerability before the coordinated disclosure timeline described in this policy has been followed
- **Stay within scope** — limit your testing to the systems and products listed under Scope above
- **Comply with applicable law** — act in accordance with all applicable laws and regulations

If you follow these guidelines, we commit to:

- Working with you in good faith to understand and resolve the issue
- Not pursuing civil or criminal legal action related to your research
- Not filing complaints with law enforcement regarding your research activities

If at any point you are uncertain whether your actions are consistent with this policy, please stop and contact us for clarification before proceeding.

## 6. Coordinated Disclosure Timeline

We follow a coordinated disclosure approach:

- **90 calendar days** from our confirmed acknowledgement of the vulnerability, or
- **Upon public release of a fix** — whichever comes first

After the disclosure deadline, you are free to publish details of the vulnerability.

If we determine that more time is needed to develop, test, and deploy an adequate fix, we may request an extension. Any extension will be discussed and agreed upon mutually. We will always communicate the reasons for a requested extension transparently.

We will notify you when a fix is available and coordinate the timing of any public advisory or disclosure with you.

## 7. Recognition and Credit

We believe in recognizing the contributions of security researchers. Unless you prefer to remain anonymous, we will **credit you by name or alias** in any security advisory we publish related to the vulnerability you reported. Please let us know your preference regarding attribution when you submit your report, or at any point before publication.

> **Note:** We do not currently operate a bug bounty program or offer monetary rewards. However, we may consider introducing such a program in the future. Regardless, we are genuinely grateful for every responsible disclosure and will always acknowledge your contribution.

## 8. Out of Scope

The following types of issues and activities are **outside the scope** of this policy:

- **Social engineering** — phishing, vishing, or other social engineering attacks against our employees, contractors, or customers
- **Physical attacks** — physical intrusion, theft, or tampering with hardware at our offices, data centers, or customer premises
- **Denial of service (DoS/DDoS)** — intentional attempts to overwhelm or disrupt our services through volumetric or resource exhaustion attacks
- **Spam** — issues related to unsolicited messages, email spoofing (without a direct security vulnerability), or similar nuisances
- **Third-party services** — vulnerabilities in third-party products, services, libraries, or infrastructure that are not under the direct control of Asteas Technologies GmbH

If you find a vulnerability in a third-party component that is integrated into one of our in-scope products, please report it to us and we will coordinate with the relevant third party as appropriate.

## 9. Legal

This Vulnerability Disclosure Policy is published in compliance with the requirements of the **EU Cyber Resilience Act (CRA)** (Regulation (EU) 2024/2847), which mandates that manufacturers of products with digital elements provide a clear and accessible means for reporting vulnerabilities.

By submitting a report, you acknowledge that you have read and understood this policy. This policy does not create any employment, agency, or partnership relationship between you and Asteas Technologies GmbH.

---

**Asteas Technologies GmbH**

Product: IACBOX

Website: [www.iacbox.com](https://www.iacbox.com)

Security Contact: [security@iacbox.com](mailto:security@iacbox.com)

PGP Key: [https://www.iacbox.com/.well-known/security-pub.asc](https://www.iacbox.com/.well-known/security-pub.asc)